The Google search engine indexes invitations to WhatsApp groups (including links to private groups), which makes them visible and accessible to any user who wants to join the group.
The journalist Jordan Wildon drew attention to the problem. He found that the WhatsApp “Invite to Group link” feature allows Google to index these groups, making them available in a general web search, since the links are distributed outside the secure WhatsApp service.
“Your WhatsApp groups may not be as secure as you think they are. The ‘Invite to Group via Link’ feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups,” wrote Jordan Wildon.
Private WhatsApp conversations are usually only accessible via an invite code handed out to group members by the chat moderator. But this code is simply a string of text and a URL, and it seems that at least some of these are being indexed so they are findable by anyone via Google.
During the investigation, Motherboard reporters found private groups using a specific Google search. In particular, they managed to join a group dedicated to NGOs accredited by the UN and gain access to a list of all 48 participants and their phone numbers.
Group administrators can invalidate the chat link if desired. However, according to Wildon, in such cases WhatsApp only generates a new link and does not always disable the original one.
As Facebook/WhatsApp representative Alison Bonnie explained, as with any content distributed through public channels, if the invitation link is shared on the Internet, any WhatsApp user can find it.
“Links that users want to share privately with trusted people should not be published on a public site,” Bonnie said.
But ethical hacker @HackrzVijay said he had reported the issue to WhatsApp owner Facebook back in November, and Facebook had not done anything about it. In fact, it’s an “intentional product decision”, Facebook said, and group admins “can invalidate the link if so desired.”
In addition, although Facebook representatives were “surprised” that the links are indexed by Google, WhatsApp/Facebook admitted that they can’t control Google indexing.
Group chats seem to be a WhatsApp pain point. Only recently I wrote that an attacker in a WhatsApp group chat could disable the messengers of other participants, and I wonder what would happen to the chats of serious organizations if cybercriminals knew about these two vulnerabilities at once?